<div class='slidealt'>Experience kvm <a title='virtualization for embedded heterogeneous arm core platforms' href='/en/products'>virtualization extensions</a></div> <div class='slidealt'>Benefit from custom <a title='kvm on arm services full virtualization' href='/en/services'>virtualization services</a></div> <div class='slidealt'>KVM on ARMv7 and ARMv8 <a title='kvm-on-arm open source smu extensions' href='/en/solutions/guides/vfio-on-arm/'>IOMMU full virtualization</a></div> <div class='slidealt'>Virtualization research projects <a title='ARM multicore kvm open source' href='/en/research'>in cloud and embedded systems</a></div> <div class='slidealt'>Virtualization solutions for heterogeneous <a title='ARMv7-ARMv8 virtualization open source solutions' href='/en/solutions'>ARM multicore systems</a></div>

Virtual Open Systems Scientific Publications

Cloud & Edge Trusted Virtualized Infrastructure Manager (VIM) - Security and Trust in OpenStack

Cloud & Edge Trusted Virtualized Infrastructure Manager (VIM) - Security and Trust in OpenStack

Event

2nd Workshop on 5G Cloud-Native Design (5GCND) in conjunction with IEEE Wireless Communications and Networking Conference (IEEE WCNC 2019), Marrakech, Morocco.

IEEE Wireless Communications and Networking Conference - IEEE WCNC 2019

Keywords

Security, virtualization, cloud, edge computing, Trusted Execution Environment, TEE, OP-TEE, Arm TrustZone, VIM, Virtualized Infrastructure Manager, OpenStack

Authors

Teodora Sechkova, Enrico Barberis, Michele Paolino

Acknowledgement

This work has received funding from the European Union's Horizon 2020 research and innovation programme under grant agreement No 761508 (H2020 5GCity project).

Abstract

The Fifth Generation (5G) mobile networks promise faster connectivity and futuristic applications and services. In order to meet the high expectations, 5G joins forces with virtualization technologies like Network Functions Virtualization (NFV) and adopts cloud-native solutions. At the same time, it relies on shifting the computation to the network edge for offloading computing power, local caching, minimized latency and flexibility in the deployment. However, the new opportunities unlock new security challenges. Man-in-the-middle, denial-of-service attacks and tampering are now becoming easier because of the scattered devices and their varying locations. Meanwhile, the dynamic nature of the cloud raises the need for on-time threats prevention.

In this work, we propose a way to answer the new challenges by bringing trust into the virtualized edge infrastructure. We present our contributions to the development of security services for platform authentication and integrity, hosted inside a Trusted Execution Environment (TEE). We also evaluate the performance overhead of our work and suggest future improvements.

Introduction

The Fifth Generation (5G) mobile networks are promising greater data capacity and speed as well as enabling new applications and services. Cloud computing and virtualization have become an integral part of these networks that are today becoming more dynamic and agile thanks to cloud-native and edge computing technologies. In particular, edge computing brings the benefits of reduced network traffic, location-awareness and low-latency while cloud-native solutions improve performance and reduce cloud services footprint. However, both open new security challenges. In fact, the edge computing scattered architecture and the wireless connectivity increase the risk of man-in-the-middle attacks, with a major threat of device tampering or replacement. Moreover, cloud-native solutions aim to simplify all levels of the 5G software stack, optimizing it for cloud execution and removing unnecessary dependencies with bare metal solutions. Nevertheless, they significantly rely on the virtualization infrastructure for security. Among the many known aspects of the cloud-native and edge security, the protection of the virtualization infrastructure and the platform integrity are the focus of this work.

We propose a trusted edge computing infrastructure based on Arm edge devices. In addition, we add attestation extensions to OpenStack, one of the most widely adopted open-source cloud managers. The combination of a remote attestation integrated into the virtualized infrastructure management software and a trusted pool of devices brings a secure and trusted virtualized edge.

As part of this work, we perform a series of measurements showing the trade-off between performance and increased security. The experiments are conducted using standard virtual machines (VMs), showing the worst-case scenario in terms of guest boot times. However, the same concept is still applicable when working with unikernels or containers which can achieve a faster boot.

Access the full content of this publication

Login or register to access full information